<!DOCTYPE html>
<html lang="en">

<head>
	

	


	

	<!--trying to figure out the canonical url issue with blogs-->
	<link rel="canonical" href="https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits" />

	<title>AT&amp;T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits | AT&T Alien Labs</title>

	

		

	<meta property="og:site_name" content="AT&T Cybersecurity" />
	<meta property="og:title" content="AT&amp;T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits" />
	<meta property="og:url" content="https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits" />
	<meta property="og:image" content="https://cdn-cybersecurity.att.com/blog-content/Blog-Images/open-graph/malware-red-sphere-open-graph.jpg" />
	<meta property="og:description" content="Executive summary

AT&amp;T Alien Labs&trade; has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.

Key Takeaways:


	BotenaGo has more than 30 different exploit functions to attack a target.
	The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on t" />
		


	<meta charset="utf-8">

<link rel="preconnect" href="https://cdn-cybersecurity.att.com" />
<link rel="preconnect" href="https://www.att.com" />
<link rel="preconnect" href="https://www.googletagmanager.com" crossorigin />
<link rel="preconnect" href="https://cdn.vidyard.com" crossorigin />
<link rel="preconnect" href="https://cdnjs.cloudflare.com" crossorigin />
<link rel="preconnect" href="https://www.google-analytics.com" crossorigin />
<link rel="preconnect" href="https://play.vidyard.com" crossorigin />
<link rel="preconnect" href="https://adservice.google.com" crossorigin />
<link rel="preconnect" href="https://www.facebook.com" crossorigin />
<link rel="preconnect" href="https://www.google.com" crossorigin />
<link rel="preconnect" href="https://px.ads.linkedin.com" crossorigin />




<script src="https://cdn-cybersecurity.att.com/js/v2/imports/top-bundle.min.js?v=20211221850047"></script>










<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="ahrefs-site-verification" content="a6fa0378625f72f89c6f290c3c7559ffee326fb9232cd87fcace798afce3e30d">
<meta name="google-site-verification" content="GTQZz4AGa47UtmP64oC5BB735pkyncjtISHOcQZbIho" />
<meta name="google-site-verification" content="dOSpKecfL6OVRkgr2KvddmhD-l-g3x8vlru1kmbqa9M" />

<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/zero-width.ttf" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Bold.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Regular.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Light.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Medium.woff2" />


<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-LightItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-BoldItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-MediumItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Italic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Black.woff2" />

<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/css/fonts/glyphicons-halflings-regular.woff2" />
<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/av-icons.ttf?e81fxl" />



<link rel="preload" as="style" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20211221850047" />
<link rel="apple-touch-icon" sizes="144x144" href="https://cdn-cybersecurity.att.com/images/uploads/apple-touch-icon.png"/>
<link rel="icon" type="image/png" sizes="32x32" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico"/>
<link rel="shortcut icon" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico">
<link rel="manifest" href="https://cdn-cybersecurity.att.com/manifest.json">

<link rel="stylesheet" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20211221850047" />












	<link rel="alternate" type="application/rss+xml" title="AlienVault Open Threat Exchange Blog" href="/site/blog-all-rss" />


</head>

	<body class="listing-blog-entry-id-7490">


		<header id="header" class="navbar navbar-fixed-top">







	<div id="header-container" class="container-fluid">
		

		<nav class="navbar-collapse collapse" id="header-nav">
			<ul class="nav navbar-nav list-unstyled">
				<li class="nav-item has-dd solutions">
					<a id="main-nav-solutions" href="/solutions" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#solutions-dd">Solutions<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="solutions-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-see-all-solutions-mobile" href="/solutions" class="header_nav_link">See All Solutions</a></li>
							</ul>
							<div id="compliance">
								<div class="menu-header">Compliance</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/it-compliance-management">Overview</a></li>
									<li><a href="/solutions/gdpr-compliance">GDPR</a></li>
									<li><a href="/solutions/hipaa-compliance">HIPAA</a></li>
									<li><a href="/solutions/iso-27001-compliance">ISO 27001</a></li>
									<li><a href="/solutions/pci-dss-compliance">PCI DSS</a></li>
									<li><a href="/solutions/soc-2-compliance">SOC 2</a></li>
								</ul>
							</div>
							<div id="industry">
								<div class="menu-header">Industry</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/education">Education</a></li>
									<li><a href="/solutions/energy-sector-security">Energy Sector</a></li>
									<li><a href="/solutions/government">Federal</a></li>
									<li><a href="/solutions/financial-services">Financial Services</a></li>
									<li><a href="/solutions/healthcare">Healthcare</a></li>
									<li><a href="/solutions/manufacturing">Manufacturing</a></li>
									<li><a href="/partners/mssp-program">MSSPs</a></li>
									<li><a href="/solutions/retail">Retail</a></li>
								</ul>
							</div>
							<div id="environment">
								<div class="menu-header">Environment</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/5g-security-solutions">5G</a></li>
									<li><a href="/solutions/aws-security-and-compliance-management">AWS</a></li>
									<li><a href="/solutions/azure-security-and-compliance-management">Azure</a></li>
									<li><a href="/solutions/cloud-security">Cloud</a></li>
									<li><a href="/solutions/iot-and-mobility-security">IOT/Mobility</a></li>
									<li><a href="/solutions/hybrid-cloud-security">Hybrid</a></li>
									<li><a href="/solutions/network-security">Network</a></li>
									<li><a href="/solutions/remote-workforce-security">Remote Workforce</a></li>

								</ul>
							</div>
							<div id="core-capabilities">
								<div class="menu-header">Security Use Cases</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/intrusion-detection-system">Intrusion Detection</a></li>
									<li><a href="/solutions/secure-access-service-edge">Secure Access Service Edge</a></li>
									<li><a href="/solutions/secure-web-gateway">Secure Web Gateway</a></li>
									<li><a href="/solutions/siem-platform-solutions ">SIEM Platform Solutions</a></li>
									<li><a href="/solutions/extended-detection-and-response">XDR</a></li>
									<li><a href="/solutions/zero-trust-architecture">Zero Trust Architecture</a></li>

								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-solutions">
							<div class="container-fluid">
								<a href="/solutions">
									<span class="view-all-text">View All Solutions &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd partners">
					<a id="main-nav-partners" href="/partners" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#partners-dd">Partners<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="partners-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-partners-mobile" href="/partners/become-a-partner">Become a Partner</a></li>
							</ul>
							<div id="become-a-partner">
								<div class="menu-header">Become a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners">All Partner Programs</a></li>
									<li><a href="/partners/mssp-program">MSSP Program</a></li>
									<li><a href="/partners/resellers">Reseller Program</a></li>
									<li><a href="/partners/partner-portal/">Partner Portal Login</a></li>
								</ul>
							</div>

							<div id="find-a-partner">
								<div class="menu-header">Find a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners/find-partner">Find an MSSP</a></li>
									<li><a href="/partners/locator">Find a Reseller</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
								</ul>
							</div>
							<div id="technology-partners">
								<div class="menu-header">Technology Partners</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/app">USM Anywhere Integrations</a></li>
									<li><a href="/partners/technology-partners">OTX Partners</a></li>
								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-partners">
							<div class="container-fluid">
								<a href="/partners/become-a-partner">
									<span class="view-all-text">Become a Partner &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd resources">
					<a id="main-nav-resources" href="/resource-center#language_en" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#resources-dd">Resources<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="resources-dd">
						<div class="dd-multi-col container-fluid">

							<div id="resources-menu-image" class="visible-lg">
								<img src="https://cdn-cybersecurity.att.com/images/uploads/thehub-thumbnail.jpg">
								<p>Explore The Hub, our home for all virtual experiences</p>
								<a href="https://hub.att.com/expo-hall/cybersecurity/">Explore now ⟶</a>
							</div>

							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-resources-mobile" href="/resource-center#language_en">View All Resources</a></li>

							</ul>

							<div id="product-resources">
								<div class="menu-header">Product Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_customer-stories">Customer Stories</a></li>
									<li><a href="/resource-center#content_product-brief">Product Briefs</a></li>
									<li><a href="/resource-center#content_product-demo">Product Demos</a></li>
									<li><a href="/resource-center#content_product-review">Product Reviews</a></li>
									<li><a href="/resource-center#content_solution-brief">Solution Briefs</a></li>
									<li><a href="/resource-center#content_use-cases">Use Cases</a></li>

									<li><a id="free-trial" href="/products/usm-anywhere/free-trial">Free Trial</a></li>
								</ul>
							</div>
							<div id="security-resources">
								<div class="menu-header">Security Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_analyst-reports">Analyst Reports</a></li>
									<li><a href="/blogs">Blogs</a></li>
									<li><a href="/resource-center#content_ebook">eBooks</a></li>
									<li><a href="/resource-center#content_video">Videos</a></li>
									<li><a href="/resource-center#content_webcast">Webcasts</a></li>
									<li><a href="/resource-center#content_white-paper">White Papers</a></li>
									<li><a href="/resource-center#content_industry-reports">Industry Reports</a></li>
								</ul>
							</div>
							<div id="customer-resources">
								<div class="menu-header">Customer Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="https://success.alienvault.com/">Success Center</a></li>
									<li><a href="/certification">Certification</a></li>
									<li><a href="/customer-success">Customer Success</a></li>
									<li><a href="/documentation">Documentation</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
									<li><a href="/support">Support Overview</a></li>
									<li><a href="/training">Training</a></li>
								</ul>
							</div>
							<div id="browse-by-topic">
								<div class="menu-header">Browse by Topic</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#category_incident-response">Incident Response</a></li>
									<li><a href="/resource-center#category_intrusion-detection">Intrusion Detection</a></li>
									<li><a href="/resource-center#category_partner-mssp-reseller">Partner: MSSP &amp; Reseller</a></li>
									<li><a href="/resource-center#category_regulatory-compliance">Regulatory Compliance</a></li>
									<li><a href="/resource-center#category_soc">Security Operations Center</a></li>
									<li><a href="/resource-center#category_siem-log-management">SIEM &amp; Log Management </a></li>
									<li><a href="/resource-center#category_threat-detection">Threat Detection</a></li>
									<li><a href="/resource-center#category_threat-intelligence">Threat Intelligence</a></li>
								</ul>
							</div>
						</div>

						<div class="dd-bottom visible-md visible-lg" id="view-all-resources">
							<div class="container-fluid">
								<a href="/resource-center#language_en">
									<span class="view-all-text">View All Resources &LongRightArrow;</span>
								</a>
							</div>
						</div>

					</div>
				</li>
				<li class="nav-item alien-labs">
					<a id="main-nav-alien-labs" href="/alien-labs" class="">AT&T Alien Labs</a>
				</li>
				<li class="nav-item visible-sm visible-xs">
					<a id="main-nav-contact" href="/contact">Contact</a>
				</li>
				<li class="nav-item support visible-sm visible-xs">
					<a id="main-nav-support" href="/support">Support</a>
				</li>

			</ul>
		</nav>

	</div>

	<div class="container-fluid visible-md visible-lg">
		
		
			<a id="main-nav-free-tools" class="header-nav-btn btn margin-bottom10" href="/pricing/request-quote">Get price</a>
		


	</div>
</header>

						




			<main class="blog-detail flexible-layout">

				<section class="full-width-block">

					<div class="container-fluid">

						<div class="row flx-container">
							<div class="col-sm-7">
								<div class="blog-content-area">
									<div class="blog-title-date-author-area">
										<h1>AT&amp;T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits</h1>
										<div class="date">November 11, 2021 &nbsp;|&nbsp; <a href="/blogs/author/ofer-caspi">Ofer Caspi</a></div>
									</div>
									<div class="blog-body">
										<h2>Executive summary</h2>

<p>AT&amp;T Alien Labs&trade; has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential to target millions of routers and IoT devices.</p>

<h3>Key Takeaways:</h3>

<ul>
	<li>BotenaGo has more than 30 different exploit&nbsp;functions to attack a target.</li>
	<li>The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.</li>
	<li>It is not yet clear which threat actor is behind the malware or how many devices are infected.</li>
</ul>

<h2>Background</h2>

<p><a href="https://golang.org/" target="_blank">Golang</a> (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software.</p>

<p>According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the last few years. The <a href="https://www.intezer.com/blog/malware-analysis/year-of-the-gopher-2020-go-malware-round-up/" target="_blank">site</a> suggests there has been a 2,000%&nbsp;increase in malware code written in Go being found in the wild.</p>

<p>Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems.</p>

<p>As of the publishing of this article, BotenaGo has a <a href="https://www.virustotal.com/gui/file/0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad" target="_blank">low antivirus (AV) detection rate</a>, with only 6 of the 62 AV engines in VirusTotal detecting it (Figure 1).</p>

<p>&nbsp;<img alt="Botenago in VT" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_in_VT.jpg" /></p>

<p style="text-align:center">Figure 1. VirusTotal scanning results of BotenaGo malware</p>

<p>Some AVs detect these new Go-based malware variants as Mirai malware &mdash; the payload links do look similar. However, Mirai and the new Go-based variants differ, including in the language in which they are written and in their architectures. Mirai is a botnet that initiates communication with its command and control (C&amp;C). Mirai also has different DDoS functionality. The new malware strains Alien Labs has discovered do&nbsp;not have the same attack functions as Mirai malware; the new strains only look&nbsp;for vulnerable systems to which they can spread their payload. In addition, Mirai uses an &ldquo;XOR table&rdquo; to hold its strings and other data, and to decrypt them when needed &mdash; this is not the case for the new malware using Go. For these reasons, Alien Labs believes this threat is new, and we have named it BotenaGo.</p>

<h2>Analysis</h2>

<p>The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the hacker of the total number of successful infections (Figure 2).</p>

<p><img alt="BotenaGo analysis" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_analysis.jpg" /></p>

<p style="text-align:center">Figure 2. BotenaGo execution output</p>

<p>It then looks for the &#39;dlrs&#39; folder, which it uses to load shell script files. A loaded script will be concatenated as &#39;echo -ne %s &gt;&gt; &#39;. If the &#39;dlrs&#39; folder is missing, the malware will stop and exit at this point.</p>

<p>For the last and most important preparation step, the malware calls the function &#39;scannerInitExploits&#39;, which sets up the malware&#39;s attack surface by mapping each offensive function to the string that represents its targeted system.</p>

<p>The malware maps each function to a string that represents a potential targeted system &mdash; such as a signature, which we&rsquo;ll explain later in this blog (see figure 3).</p>

<p><img alt="Mapping attack functions" data-original="https://cdn-cybersecurity.att.com/blog-content/mapping_attack_functions.jpg" /></p>

<p style="text-align:center">Figure 3. Mapping attack functions to relevant vulnerable systems</p>

<h2>Exploit delivery</h2>

<p>To deliver its exploit, the malware first queries the target with a simple &ldquo;GET&rdquo; request. It then searches the data returned by the &ldquo;GET&rdquo; request for each system signature that was mapped to an attack function (as seen in figure 3).</p>

<p><img alt="BotenaGo mapping" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_mapping.jpg" /></p>

<p style="text-align:center">Figure 4. Example 1: Mapping function to the relevant system string signature</p>

<p>The string &ldquo;Server: Boa/0.93.15&rdquo; is mapped to the function &ldquo;main_infectFunctionGponFiber&rdquo; (see figure 4), which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958, as shown in figure 5).</p>

<p><img alt="BotenaGo function" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_function.jpg" /></p>

<p style="text-align:center">Figure 5. Example 1: main_infectFunctionGponFiber function, exploits CVE-2020-8958</p>

<p>If we search for the string "Server: Boa/0.93.15" in <a href="https://shodan.io" target="_blank">SHODAN</a>, results show almost 2 million&nbsp;potential targets for this attack (see figure 6). These are hosts returning that banner, so the figure is an upper bound rather than a count of devices confirmed vulnerable. <a href="https://en.wikipedia.org/wiki/Boa_(web_server)" target="_blank">Boa</a>&nbsp;is a discontinued, open-source, small-footprint web server that is mostly suited to embedded applications.</p>

<p><img alt="BotenaGo Shodan" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_shodan.jpg" /></p>

<p style="text-align:center">Figure 6. Example 1: Shodan search result for potential targets for specific function</p>

<p>Let&#39;s look at another example of a signature mapped to an attack function. We searched for the string "Basic realm=\"Broadband Router\"", which is mapped to the function &ldquo;m_infectFunctionComtrend&rdquo; (see figure 7).</p>

<p><img alt="map string" data-original="https://cdn-cybersecurity.att.com/blog-content/map_string.jpg" /></p>

<p style="text-align:center">Figure 7. Example 2: mapping function to the relevant system string signature</p>

<p>A search on Shodan returns approximately 250,000 potential devices that could be attacked by this function (see figure 8).</p>

<p><img alt="BotenaGo in Shodan" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_in_Shodan.jpg" /></p>

<p style="text-align:center">Figure 8. Example 2: Shodan search result for string</p>

<p>&nbsp;The function exploiting the vulnerability CVE-2020-10173 is shown in figure 9. In total, the malware initiates 33 exploit&nbsp;functions that are ready to infect potential victims.</p>

<p><img alt="BotenaGo exploit" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_exploit.jpg" />&nbsp;</p>

<p style="text-align:center">Figure 9. Example 2: Function exploiting vulnerability CVE-2020-10173</p>

<h2>Receiving directions from Command &amp; Control</h2>

<p>The malware can receive commands to target victims in two different ways:</p>

<ol>
	<li>It creates two backdoor ports: 31412 and 19412. On port 19412 it listens to receive the victim IP. Once a connection carrying that information is received on that port, it loops through the mapped exploit functions and executes them against the given IP (see figure 10).</li>
</ol>

<p><img alt="BotenaGo CC" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_CC.jpg" /></p>

<p style="text-align:center">Figure 10. BotenaGo backdoor ports</p>

<ol start="2">
	<li>The malware sets a listener on system IO (terminal) user input and can receive a target through it.</li>
</ol>

<p>For example, if the malware is running locally on a virtual machine, a command can be sent through telnet. The target in figure 11 is a fake web server Alien Labs set up locally.</p>

<p><img alt="Sending BotenaGo" data-original="https://cdn-cybersecurity.att.com/blog-content/Sending_BotenaGo.jpg" /></p>

<p style="text-align:center">Figure 11. Sending the malware a target to attack</p>

<p>Using this information, we can see the <a href="https://www.wireshark.org/" target="_blank">results of some of the attacks</a> with <a href="https://cybersecurity.att.com/blogs/security-essentials/network-traffic-analysis-using-wireshark" target="_blank">Wireshark</a>&nbsp;(see figures 12 and 13).</p>

<p><img alt="BotenaGo in Wireshark" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_in_wireshark.jpg" /></p>

<p style="text-align:center">Figure 12. Malware communication as seen in Wireshark</p>

<p><img alt="Communication in Wireshark" data-original="https://cdn-cybersecurity.att.com/blog-content/communication_in_Wireshark.jpg" /></p>

<p style="text-align:center">Figure 13. Malware communication as seen in Wireshark</p>

<p>The new BotenaGo malware exploits more than 30 vulnerabilities. Below, Alien Labs has listed some of the CVE numbers of vulnerabilities that can be exploited. In addition, some of the vulnerabilities have been disclosed without CVE.</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:2px solid black; width:312px">
			<p style="text-align:center">Vulnerability</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:2px solid black; width:337px">
			<p style="text-align:center">&nbsp;Affected devices</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2020-8515</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2015-2051</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2016-1555</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2017-6077</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>NETGEAR DGN2200 devices with firmware through 10.0.0.50</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2016-6277</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2018-10561, CVE-2018-10562</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>GPON home routers</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2013-3307</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>Linksys X3000 1.0.03 build 001</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2020-9377</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>D-Link DIR-610</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2016-11021</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>D-Link DCS-930L devices before 2.12</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2018-10088</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>XiongMai uc-httpd 1.0.0</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2020-10173</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2013-5223</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>D-Link DSL-2760U Gateway</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2020-8958</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2019-19824</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2020-10987</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>Tenda AC15 AC1900 version 15.03.05.19</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2020-9054</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2017-18368</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2014-2321</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>ZTE F460 and F660 cable modems</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:312px">
			<p>CVE-2017-6334</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:337px">
			<p>NETGEAR DGN2200 devices with firmware through 10.0.0.50</p>
			</td>
		</tr>
	</tbody>
</table>

<h2>The payload</h2>

<p>As its payload, BotenaGo executes remote shell commands on devices where a vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload. At the time of analysis, all the payloads had been removed from the hosting servers by the attacker(s), so Alien Labs could not analyze any of them.</p>

<p>BotenaGo does not have any active communication to its C&amp;C, which raises the question: how does it operate? Alien Labs has a few theories on how the malware is being operated and receives a target to attack (the attacker could be using one or a mix of the actions below):</p>

<ol>
	<li>The malware is part of a "malware suite" and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&amp;C with a new victim&rsquo;s IP.</li>
	<li>The links used for the payload on a successful attack imply a connection with Mirai malware. It could be that BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected endpoint by sending it targets.</li>
	<li>This malware is still in beta phase and has been accidentally leaked.</li>
</ol>

<h2>Recommended actions</h2>

<ol>
	<li>Maintain your software, including router and IoT device firmware, with the latest security updates.</li>
	<li>Ensure minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.</li>
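	<li>Monitor network traffic, outbound port scans, and unreasonable bandwidth usage. Unexpected listeners or connections on port 19412, the backdoor port noted in the summary of this report, are also worth alerting on.</li>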
</ol>

<h2>Conclusion</h2>

<p>Malware authors continue to create new techniques for writing malware and upgrading its capabilities. In this case, new malware written in Golang (which Alien Labs has named BotenaGo) can run as a botnet on different OS platforms with small modifications.</p>

<h2>Detection methods</h2>

<p>The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:552px">
			<p>SURICATA IDS SIGNATURES</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4000898: AV EXPLOIT Netgear DGN2200 ping.cgi - Possible Command Injection ( CVE-2017-6077 )</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027881: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027882: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001142: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001143: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup - Possible Command Injection (CVE-2017-6334)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)</p>
			</td>
		</tr>
	</tbody>
</table>

<h2>Associated indicators (IOCs)</h2>

<p>The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the <a href="https://otx.alienvault.com/pulse/61894367200f8ce537dda952">OTX Pulse</a>. Please note that the pulse may include other related activity that is outside the scope of this report. The URLs below are defanged with <code>[.]</code> so that they are not clickable.</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:97px">
			<p>TYPE</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:311px">
			<p>INDICATOR</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:216px">
			<p>DESCRIPTION</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; width:311px">
			<p>0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; width:216px">
			<p>BotenaGo malware hash</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/shell/wget.sh</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://rippr[.]cc/u</p>

			<p>&nbsp;</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/b</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://37[.]0.11.220/g+-O-</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/l</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/a/wget.sh</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/multi/wget.sh</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.mips</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.arm7</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>URL</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>http://37[.]0.11.220/a/wget.sh</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>Malware payload download link</p>
			</td>
		</tr>
	</tbody>
</table>

<h2>Mapped to MITRE ATT&amp;CK</h2>

<p>The findings of this report are mapped to the following <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&amp;CK Matrix</a> techniques:</p>

<ul>
	<li>TA0008: Lateral Movement
	<ul>
		<li>T1210: Exploitation of Remote Services</li>
		<li>T1570: Lateral Tool Transfer</li>
	</ul>
	</li>
	<li>TA0011: Command and Control
	<ul>
		<li>T1571: Non-Standard Port</li>
	</ul>
	</li>
</ul>
									</div>
								</div>

							</div>
							
						</div>
					</div>
				</section>


			</main>


			

			
		


		<footer id="footer" class="hidden-print">
  <div class="container-fluid">
    <div class="row">
      <div class="col-sm-6 col-md-3">
        
        <div class="footer_logo"><a href="https://business.att.com" target="_blank" rel="noopener"><img src="data:image/svg+xml;utf8,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20width%3D%22263px%22%20height%3D%2256px%22%3E%3Crect%20fill%3D%22none%22%20width%3D%22263%22%20height%3D%2257%22%2F%3E%3C%2Fsvg%3E" data-original="https://cdn-cybersecurity.att.com/images/uploads/logos/att_biz_hz_pref_rgb_white.png" alt="AT&T Business"></a></div>
        <div class="footer_featured">

          <div class="footer_featured_title">From the Blog</div>
          <article class="footer_featured_article">
            <div class="footer_featured_article_author clearfix">
	            
										<img src="data:image/svg+xml;utf8,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20width%3D%22150px%22%20height%3D%22150px%22%3E%3Crect%20fill%3D%22none%22%20width%3D%22150%22%20height%3D%22150%22%2F%3E%3C%2Fsvg%3E" data-original="/avatars/uploads/avatar_377_1.jpeg" width="150" height="150" alt="Ofer Caspi" />
									
              <div class="footer_featured_article_author_data">
                <h4>Ofer Caspi</h4>
                <time datetime="2021-02-23">Dec 23, 2021</time>
              </div>
            </div>
            <h3><a href="https://cybersecurity.att.com/blogs/labs-research/holiday-shopping-get-an-amazing75-discount-offer-a-case-study-on-a-suspicious-websiteoffering-special-holiday-sales" id="footer-link-blog-post">Holiday shopping? Get an amazing 75% discount offer? A case study on evaluating a special holiday sale  </a></h3>
          </article>
          <a id="footer-link-blog-all" href="/blogs" class="footer_featured_more">Explore All Blog Posts
            &#8250;</a>
        </div>
        

        <div class="social-style">
          <a href="https://www.twitter.com/attcyber/" class="social-link-twitter" target="_blank">Twitter</a>
          <a href="https://www.linkedin.com/company/attcybersecurity/" class="social-link-linkedin" target="_blank">Linkedin</a>
          <a href="https://www.facebook.com/ATTCyber/" class="social-link-facebook" target="_blank">Facebook</a>
          <a href="https://www.youtube.com/c/attcybersecurity" class="social-link-youtube" target="_blank">Youtube</a>
          <a href="https://www.instagram.com/attbusiness/" class="social-link-instagram" target="_blank">Instagram</a>
        </div>
      </div>

      <div class="col-sm-6 col-md-3">
        <div class="footer_links">
          <div class="heading">Who We Are</div>
          <ul>
            <li><a id="footer-link-labs" href="/alien-labs">Alien Labs</a></li>
            <li><a id="footer-link-customers" href="/who-we-are/customers">Customers</a></li>
            <li><a id="footer-link-careers" href="/who-we-are/careers">Careers</a></li>
            <li><a id="footer-link-contact" href="/contact">Contact Us</a></li>
          </ul>
        </div>

        <div class="footer_links">
          <div class="heading">News</div>
          <ul>
            <li><a id="footer-link-news-room" href="/who-we-are">Newsroom</a></li>
            <li><a id="footer-link-events" href="/who-we-are/events">Events</a></li>
            <li><a id="footer-link-blogs" href="/blogs">Blogs</a></li>
          </ul>
        </div>

        <div class="footer_links">
          <div class="heading">Partners</div>
          <ul>
            <li><a id="footer-link-partners" href="/partners">Partner Programs</a></li>
            <li><a id="footer-link-partner-portal" href="/partners/partner-portal/">Partner Portal</a></li>
          </ul>
        </div>
      </div>

      <div class="col-sm-6 col-md-3">
        <div class="footer_links">
          <div class="heading">Products</div>
          <ul>
		  	<li><a id="footer-link-mtdr" href="/products/managed-threat-detection-and-response">AT&T Managed Threat Detection and Response</a></li>
            <li><a id="footer-link-usm-anywhere" href="/products/usm-anywhere">USM Anywhere</a></li>
            <li><a id="footer-link-usm-mssp" href="/products/usm-for-mssp">USM for MSSPs</a></li>
            <li><a id="footer-link-otx" href="/open-threat-exchange">Open Threat Exchange (OTX)</a></li>
            <li><a id="footer-link-ossim" href="/products/ossim">OSSIM</a></li>

          </ul>
        </div>



        <div class="footer_links">
          <div class="heading">Solutions</div>
          <ul>
            <li><a id="footer-link-cloud-security" href="/solutions/cloud-security-monitoring">Cloud Security Monitoring</a></li>
            <li><a id="footer-link-threat-detection" href="/solutions/threat-detection">Threat Detection</a></li>
            <li><a id="footer-link-ids" href="/solutions/intrusion-detection-system">Intrusion Detection</a></li>
            <li><a id="footer-link-siem" href="/solutions/siem-platform-solutions">SIEM platform solutions</a></li>
            <li><a id="footer-link-vulnerability" href="/solutions/vulnerability-assessment-remediation">Vulnerability
                Assessment</a></li>
            <li><a id="footer-link-all-solutions" class="btn-with-arrow" href="/solutions">See All Solutions</a></li>
          </ul>
        </div>
      </div>

      <div class="col-sm-6 col-md-3">
        <div class="footer_links">
          <div class="heading">Resources</div>
          <ul>
            <li><a id="footer-link-resources" href="/resource-center">Resources</a></li>
            <li><a id="footer-link-blog" href="/blogs">Blogs</a></li>
            <li><a id="footer-link-reference-guide" href="https://www.business.att.com/content/dam/attbusiness/guides/att-information-and-network-security-customer-reference-guide.pdf" target="_blank">Customer Reference Guide</a></li>

          </ul>
        </div>

        <div class="footer_links">
          <div class="heading">Customer Success</div>
          <ul>
            <li><a id="footer-link-support" href="/support">Support &amp; Services</a></li>
            <li><a id="footer-link-customer-portal" href="https://success.alienvault.com" target="_blank">Success Center</a></li>
            <li><a id="footer-link-documentation" href="/documentation">Documentation Center</a></li>
            <li><a id="footer-link-classroom-training" href="/training">Training</a></li>
            <li><a id="footer-link-certification" href="/certification">Certification</a></li>
          </ul>
        </div>

        <div class="footer_contact">
          <a href="/contact" id="footer-button-contact" class="btn btn-blue margin-bottom20">Contact us</a>
        </div>
      </div>
    </div>
    <div class="footer_legal">
      <p class="footer_legal_copy">&copy; Copyright 2021</p>
      <ul class="footer_legal_links">
        <li><a id="footer-link-privacy" href="/legal/privacy-policy">Privacy Policy</a></li>
        <li><a id="footer-link-terms" href="/terms/website-terms-of-use07may2018">Website Terms of Use</a></li>
        <li><a id="footer-link-gdpr" href="/legal/gdpr">GDPR</a></li>
        <li><a id="footer-link-cookie" href="/legal/cookie-policy">Cookie Policy</a></li>
        <li><a id="footer-link-personal-info" href="https://about.att.com/csr/home/privacy/rights_choices.html" target="_blank">Do Not Sell My Personal Information</a></li>

      </ul>
    </div>
  </div>
</footer>

<div id="valid_content"></div>

		
	<script src="https://cdn-cybersecurity.att.com/js/v2/imports/blog-bundle.min.js?v=20211221850047" defer></script>






		



<div class="cookie-notice">
    <p>We use cookies to provide you with a great user experience. By using our website, you agree to our <a href="https://www.att.com/privacy">Privacy Policy</a> and <a href="/terms/website-terms-of-use07may2018">Website Terms of Use</a>.</p>
    <a class="cookie-notice-close" href="#" aria-label="Close Cookie Notice"><span class="glyphicon glyphicon-remove"></span></a>
</div>


<!-- WGT-10310 -->

<!-- END WGT-10310 -->

<script type="text/javascript" async src="https://cdn-cybersecurity.att.com/js/v2/imports/vidyard-av.js" ></script>
<script type="text/javascript" defer src="//play.vidyard.com/embed/v4.js"></script>
<script type="text/javascript" defer src="//play.vidyard.com/v1/progress-events.js"></script>




<script>
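// Send the page-load event only when the global `ddo` exists. The function
// declaration below is hoisted, so calling it before its definition is fine.
if (typeof ddo !== "undefined") {
    initAdobePageTrackingFooter();
}

/**
 * Fill the shared page-load tracking object with this page's metadata and
 * push it as a 'pageLoad' event through `ddo.pushEvent`.
 *
 * Relies on two globals defined outside this script:
 * `customAdobeTrackingPageLoadObj` (mutated in place) and `ddo`.
 * The only values read from the page itself are the trimmed document title
 * and the hostname; no path, query string or referrer is added here.
 */
function initAdobePageTrackingFooter() {
    var pageTitle = document.title.trim();

    customAdobeTrackingPageLoadObj['page.pageInfo.pageTitle'] = pageTitle;
    customAdobeTrackingPageLoadObj['page.pageInfo.friendlyPageName'] = 'CYB ' + pageTitle + ' Pg';

    // Static classification values for this site section.
    customAdobeTrackingPageLoadObj['page.pageInfo.language'] = 'EN';
    customAdobeTrackingPageLoadObj['page.pageInfo.lineOfBusiness'] = 'Business Solutions';
    customAdobeTrackingPageLoadObj['page.category.pageFunction'] = 'Learn';
    customAdobeTrackingPageLoadObj['page.category.pageOwnership'] = 'Business';
    customAdobeTrackingPageLoadObj['page.attributes.applicationName'] = 'CYB';
    customAdobeTrackingPageLoadObj['page.pageInfo.appCode'] = 'ACS';
    // The original assigned siteSection twice with the same value; once is enough.
    customAdobeTrackingPageLoadObj['page.category.siteSection'] = 'CYB';
    customAdobeTrackingPageLoadObj['page.media.class'] = 'Text';
    customAdobeTrackingPageLoadObj['page.media.category'] = 'Security';
    customAdobeTrackingPageLoadObj['page.location.domain'] = window.location.hostname;

    ddo.pushEvent('pageLoad', 'Page_Load', customAdobeTrackingPageLoadObj);
}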
</script>


		<script>
			// Show the blog-subscribe box 10 seconds after the window has loaded,
			// unless the visitor already dismissed it (tracked by a cookie).
			// NOTE(review): the .load() event shorthand is not available in jQuery 3+;
			// confirm the jQuery version shipped in the page bundle.
			window.addEventListener('DOMContentLoaded', function () {
				$(window).load(function () {
					var dismissed = AV.Utilities.readCookie('stickyBlogSubscribe');

					// A stored cookie means the box was closed before: leave it hidden.
					if (dismissed != null) {
						return;
					}

					var revealBox = function () {
						$('#blog-subscribe-box').fadeIn();
					};
					setTimeout(revealBox, 10000);

					// "Close" button: remember the dismissal, then hide the box.
					// NOTE(review): the third setCookie argument (1) is presumably a
					// lifetime in days; verify against AV.Utilities.
					$('.blog-subscribe-close-btn').click(function (evt) {
						evt.preventDefault();
						AV.Utilities.setCookie('stickyBlogSubscribe', true, 1);
						$('#blog-subscribe-box').fadeOut();
					});
				});
			});
		</script>

	<script type="text/javascript"  src="/2egU/Wdpn/GK/iIu0/Qw2w/Eab1DJkQ/UQF7/aUkrEWoA/QAUC"></script></body>
</html>